Instance based learning framework for effective behavior profiling and anomaly intrusion detection
First Claim
1. A computer implemented instance-based learning method for detecting intruders into a computer comprising:
- capturing historical data input into the computer by a user during a training mode;
- profiling the historical data during the training mode by converting streams of shell command traces into fixed length instances;
- profiling the fixed length instances to identify normal behavior using a single data structure and a clustering algorithm with respect to the data structure, the data structure comprising a list of tables, the tables among said list of tables having a size that is limited by an upper bound;
- determining a representative instance;
- comparing the representative instance to the fixed length instances utilizing the clustering algorithm in order to create clusters that are mapped to the tables among said list of tables;
- capturing test data input by the user into the computer during an operational mode;
- comparing the test data with the profiled historical data in accordance with a predetermined similarity metric during the operational mode to identify test data that falls outside of previously identified clusters;
- selecting dynamically a set of representative instances, wherein each of the representative instances represents a corresponding one of the clusters;
- calculating similarity scores between query instances and each of the representative instances;
- using the similarity metric, producing a real, non-negative root for each similarity score within a predefined interval;
- using each root, determining the representation in the list of tables of each respective query instance;
- displaying a notification upon identifying the test data falling outside previously identified clusters.
Abstract
Intruders into a computer are detected by capturing historical data input into the computer by a user during a training mode, by profiling the historical data during the training mode to identify normal behavior, by capturing test data input by the user into the computer during an operational mode, by comparing the test data with the profiled historical data in accordance with a predetermined similarity metric during the operational mode to produce similarity results, and by evaluating the similarity results during the operational mode to identify abnormal data.
21 Claims
14. A non-transitory computer-readable medium having computer-executable instructions for performing steps to detect intruders into a computer, said steps comprising:
- capturing historical data input into the computer by a user during a training mode;
- profiling the historical data during the training mode by converting streams of shell command traces into fixed length instances;
- profiling the fixed length instances to identify normal behavior using a single data structure and a clustering algorithm with respect to the data structure, the data structure comprising a list of tables, the tables among the list of tables having a size that is limited by an upper bound;
- determining a representative instance;
- comparing the representative instance to the fixed length instances utilizing the clustering algorithm in order to create clusters that are mapped to the tables among said list of tables;
- capturing test data input by the user into the computer during an operational mode;
- comparing the test data with the profiled historical data in accordance with a predetermined similarity metric during the operational mode to identify test data that falls outside of previously identified clusters;
- selecting dynamically a set of representative instances, wherein each of the representative instances represents a corresponding one of the clusters;
- calculating similarity scores between query instances and each of the representative instances;
- using the similarity metric, producing a real, non-negative root for each similarity score within a predefined interval;
- using each root, determining the representation in the list of tables of each respective query instance;
- wherein the profiling of the historical data further comprises updating a user behavioral profile periodically; and
- displaying a notification upon identifying the test data falling outside previously identified clusters.
Dependent claims: 15 to 18.
19. A computer implemented method utilizing an instance based learning framework for detecting intruders into a computer comprising:
- capturing historical data input into the computer by a user during a training mode;
- profiling the historical data during the training mode by converting streams of shell command traces into fixed length instances;
- profiling the fixed length instances to identify normal behavior using a single data structure and a clustering algorithm with respect to the data structure, the data structure comprising a list of tables, the tables among said list of tables having a size that is limited by an upper bound;
- determining a representative instance;
- comparing the representative instance to the fixed length instances utilizing the clustering algorithm in order to create clusters that are mapped to the tables among said list of tables;
- capturing test data input by the user into the computer during an operational mode;
- comparing the test data with the profiled historical data in accordance with a predetermined similarity metric during the operational mode to identify test data that falls outside of previously identified clusters;
- selecting dynamically a set of representative instances, wherein each of the representative instances represents a corresponding one of the clusters;
- calculating similarity scores between query instances and each of the representative instances;
- using the similarity metric, producing a real, non-negative root for each similarity score within a predefined interval;
- using each root, determining the representation in the list of tables of each respective query instance;
- determining a set of training data falling within a predetermined range of the similarity results produced from the predetermined similarity metric; and
- displaying a notification upon identifying the test data falling outside previously identified clusters.
Dependent claims: 20 and 21.
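The procedure the three independent claims share (fixed-length instances from shell command traces, a bounded list of tables built by clustering, a representative per cluster, and query instances scored against those representatives), as a Python example added here that is not the patent's or its assignee's code. The window length, the positional-match similarity metric, the medoid as representative instance, the join threshold and the table bound are assumptions, and both command traces are constructed.

```python
# Added example, not the patent's own code. Assumptions: window length 3, positional-match
# similarity, medoid as representative, greedy threshold clustering, capped table size.
WINDOW = 3          # fixed instance length (assumption)
MAX_TABLE = 4       # upper bound on instances held per table (assumption)
THRESHOLD = 2       # minimum matches to belong to a cluster (assumption)

# Constructed traces: a user's habitual edit/build loop, then an unusual session.
TRAINING = ["ls", "cd", "vim", "make", "ls", "cd", "vim", "make", "git", "ls"]
TEST = ["ls", "cd", "vim", "sort", "awk", "sed"]

def to_instances(trace, n=WINDOW):
    """Convert a stream of shell commands into fixed-length instances."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def similarity(a, b):
    """Assumed metric: number of positions where both instances agree."""
    return sum(1 for x, y in zip(a, b) if x == y)

def representative(table):
    """Assumed choice: the medoid, the member most similar to its peers."""
    return max(table, key=lambda r: sum(similarity(r, o) for o in table))

def build_profile(trace):
    """Training mode: cluster instances into a single list of bounded tables."""
    tables = []
    for inst in to_instances(trace):
        reps = [representative(t) for t in tables]
        if reps:
            best = max(range(len(reps)), key=lambda i: similarity(inst, reps[i]))
            if similarity(inst, reps[best]) >= THRESHOLD:
                if len(tables[best]) < MAX_TABLE:  # enforce the upper bound
                    tables[best].append(inst)
                continue                           # absorbed by that cluster
        tables.append([inst])                      # otherwise open a new table
    return tables

def detect(profile, trace):
    """Operational mode: report query instances outside every known cluster."""
    reps = [representative(t) for t in profile]   # one per cluster, chosen now
    alerts = []
    for inst in to_instances(trace):
        score = max(similarity(inst, r) for r in reps)
        if score < THRESHOLD:
            alerts.append((inst, score))           # would trigger a notification
    return alerts

if __name__ == "__main__":
    prof = build_profile(TRAINING)
    print(f"{len(prof)} clusters; alerts: {detect(prof, TEST)}")
```

Against the constructed traces the habitual loop produces no alerts, while the two windows containing the unfamiliar commands fall below the threshold against every representative and are reported.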